
Comment by croutonwagon

5 years ago

I moved over to opnsense this weekend in a few locations. Will do more over time. In the few locations where an official appliance is used, I will likely move to swap those out down the line.

I've used pfSense since well before netgate even existed, and enough that it's not just in use in my home or lab. I generally don't make decisions based on bad PR or internet drama. So I didn't really bother to move over the AESNI stuff, or even the gnid/build tools etc. Though the gnid thing was what opened my eyes to what netgate was doing.

But their choice to diverge their code to basically closed source [1] and only contribute minimally to the CE, and leave it to people using CE to "enable" their features/changes, leaves me with little choice but to move on. I use products like these because they are open to audits and fixes, both for bugs and vulnerabilities. In the cases where I have used closed-source devices, especially at an edge location, it's been with a trusted company with a storied history of security focus (like Cisco, Proofpoint, Palo Alto, etc.).

Netgate's decisions on 2.6/pfsense+ basically mean that I would need to trust the security of the device to a small number of people who have a history of reacting very poorly to any question or criticism. And the pattern of moving their code base to something that isn't open to audits/researchers' eyes gives me practical reason to stop using or recommending their products. Which is something I find unfortunate. It's not just the wireguard thing in a vacuum, it's the pattern over time coupled with the choices they have made.

All that said my initial moves to opnsense have been mostly positive.

[1] https://www.netgate.com/blog/announcing-pfsense-plus.html